240 likes | 417 Views
Network Security Part I: Concepts. Raj Jain Washington University Saint Louis, MO 63131 Jain@cse.wustl.edu These slides are available on-line at: http://www.cse.wustl.edu/~jain/cse473-05/. Overview. Security Statistics, Attacks, Requirements Secret Key and Public Key Encryption
E N D
Network SecurityPart I: Concepts Raj Jain Washington UniversitySaint Louis, MO 63131Jain@cse.wustl.edu These slides are available on-line at: http://www.cse.wustl.edu/~jain/cse473-05/
Overview • Security Statistics, Attacks, Requirements • Secret Key and Public Key Encryption • Hash Functions • Message Authentication Code (MAC) • Digital Signature and Digital Certificates • RSA Public Key Encryption
Security Threat Statistics • DoD networks were attacked 250000 times in 1995 (well before Internet popularity) • Of 38,000 friendly attacks, 65% succeeded • Only 4% of successful attacks were noticed by network administrators • Only a small fraction of those noticed were reported to authorities • FBI reports 163 organizations lost $123M in 1999 • Ref: M. Markow, “VPN for Dummies,” IDG Books, 1999.
Security Attacks • Passive: • Release of message contents: Eavesdropping • Traffic analysis: monitoring frequency and length of messages, even encrypted nature of communication may be guessed • Difficult to detect • Active: • Masquerade: Pretend to be some one else • Replay: Capture and reuse for unauthorized effect • Modification of message • Denial of Service
Security Requirements • Integrity: Received = sent? • Availability: Legal users should be able to use. Ping continuously No useful work gets done. • Confidentialityand Privacy: No snooping or wiretapping • Authentication: You are who you say you are. A student at Dartmouth posing as a professor canceled the exam. • Authorization = Access Control Only authorized users get to the data
Link vs End-to-End Encryption • Link All traffic secure. Vulnerable inside switches
Secret Key Encryption • Also known as symmetric encryption • Encrypted_Message = Encrypt(Key, Message) • Message = Decrypt(Key, Encrypted_Message) • Example: Encrypt = division • 433 = 48 R 1 (using divisor of 9)
Public Key Encryption • Invented in 1975 by Diffie and Hellman • Encrypted_Message = Encrypt(Key1, Message) • Message = Decrypt(Key2, Encrypted_Message) Key1 Text Ciphertext Key2 Ciphertext Text
Public Key Encryption • RSA: Encrypted_Message = m3 mod 187 • Message = Encrypted_Message107 mod 187 • Key1 = <3,187>, Key2 = <107,187> • Message = 5 • Encrypted Message = 53 = 125 • Message = 125107 mod 187 = 5= 125(64+32+8+2+1) mod 187 = {(12564 mod 187)(12532 mod 187)...(1252 mod 187)(125 mod 187)} mod 187
Modular Arithmetic • xy mod m = (x mod m) (y mod m) mod m • x4 mod m = (x2 mod m)(x2 mod m) mod m • xij mod m = (xi mod m)j mod m • 125 mod 187 = 125 • 1252 mod 187 = 15625 mod 187 = 104 • 1254 mod 187 = (1252 mod 187)2 mod 187 = 1042 mod 187 = 10816 mod 187 = 157 • 1288 mod 187 = 1572 mod 187 = 152 • 12816 mod 187 = 1522 mod 187 = 103 • 12832 mod 187 = 1032 mod 187 = 137 • 12864 mod 187 = 1372 mod 187 = 69 • 12864+32+8+2+1 mod 187 = 69×137×152×104×125 mod 187 = 18679128000 mod 187 = 5
Public Key (Cont) • One key is private and the other is public • Message = Decrypt(Public_Key, Encrypt(Private_Key, Message)) • Message = Decrypt(Private_Key, Encrypt(Public_Key, Message)) Msg Msg Alice’sPublic Key Alice’sPrivate Key Msg Msg Bob’sPublic Key Bob’sPrivate Key
Hash Functions Example: CRC can be used as a hash (not recommended for security applications) Requirements: • Applicable to any size message • Fixed length output • Easy to compute • Difficult to Invert Can’t find x given H(x) One-way • Difficult to find y, such that H(x) = H(y) Can’t change msg • Difficult to find any pair (x, y) such that H(x) = H(y) Strong hash 12345678901234567 Hash 12345678901234767 Hash
Digital Signature • Message Digest = Hash(Message) • Signature = Encrypt(Private_Key, Hash) • Hash(Message) = Decrypt(Public_Key, Signature) Authentic • Also known as Message authentication code (MAC) Private Key Hash Digest Text Signature Public Key Hash Signature Digest Text
Message Authentication Code (MAC) • Authentic Message = Contents unchanged + Source Verified • May also want to ensure that the time of the message is correct • Encrypt({Message, CRC, Time Stamp}, Source’s secret key) • Message + Encrypt(Hash, Source’s secret key) • Message + Encrypt(Hash, Source’s private key) Message MAC
Digital Certificates • Like driver license or passport • Digitally signed by Certificate authority (CA) - a trusted organization • Public keys are distributed with certificates • CA uses its private key to sign the certificate Þ Hierarchy of trusted authorities • X.509 Certificate includes: Name, organization, effective date, expiration date, public key, issuer’s CA name, Issuer’s CA signature EncryptCA private key User IDPublic Key hash User IDPublic Key
Key Distribution • Application requests connection • Security service asks KDCfor session Key • KDC distributes session keyto both hosts • Buffered packet transmitted KeyDistributionCenter KDC shares a secret key with each Host.
Confidentiality • User 1 to User 2: • Encrypted_Message = Encrypt(Public_Key2, Encrypt(Private_Key1, Message)) • Message = Decrypt(Public_Key1, Decrypt(Private_Key2, Encrypted_Message) Authentic and Private Your PublicKey My PrivateKey Message
RSA Public Key Encryption • Ron Rivest, Adi Shamir, and Len Adleman at MIT 1978 • Both plain text M and cipher text C are integers between 0 and n-1. • Key 1 = {e, n}, Key 2 = {d, n} • C = Me mod nM = Cd mod n • How to construct keys: • Select two large primes: p, q, p ≠ q • n = p×q • Calculate = (p-1)(q-1) • Select e, such that lcd(, e) = 1; 0 < e < s • Calculate d such that de mod = 1
RSA Algorithm: Example • Select two large primes: p, q, p ≠ qp = 17, q = 11 • n = p×q = 17×11 = 187 • Calculate = (p-1)(q-1) = 16x10 = 160 • Select e, such that lcd(, e) = 1; 0 < e < say, e = 7 • Calculate d such that de mod = 1 • 160k+1 = 161, 321, 481, 641 • Check which of these is divisible by 7 • 161 is divisible by 7 giving d = 161/7 = 23 • Key 1 = {7, 187}, Key 2 = {23, 187}
Summary • Passive and active attacks • Secret Key and Public Key Encryption • Secure Hash Functions • Message Authentication Code (MAC) • Digital Signature and Digital Certificates • RSA Public Key Encryption based on exponentiation
Reading Assignment • Read Sections 21.1 through 21.4 of 7th edition of Stallings. You can skip AES, SHA-1 during this part.
Homework • Submit answer to Exercise 21.6 in Stallings’ 7th edition